
net-knockd.plugin.bash

knockd port knocking daemon configurations.

group:postnet | runtype:systemd | deps: - | port: -

Usage
net-knockd help|install|uninstall|download|disable|configgen|configapply|check|run
$ net-knockd install - install knockd port knocking daemon
$ net-knockd uninstall - uninstall knockd
$ net-knockd download - download knockd package files to pkg dir
$ net-knockd disable - disable knockd plugin
$ net-knockd configgen - generate knockd configuration files
$ net-knockd configapply - apply knockd configuration files
$ net-knockd check - check knockd plugin status
$ net-knockd run - run knockd service
$ net-knockd help - show this help message
Description

knockd is a port knocking daemon. It sniffs the configured interface with libpcap for a predefined sequence of TCP connection attempts (knocks) to otherwise closed or firewalled ports and, when the complete sequence arrives within seq_timeout seconds from one source address, runs a command, typically an iptables rule that admits that address to a service such as SSH. Because the knocks are observed on the wire rather than accepted by a listening socket, the knocked ports stay closed and the protected service is invisible to a port scan until the door is opened. Port knocking hides a service; it does not authenticate the client, and a static sequence can be replayed by anyone who captured it, which is what the One_Time_Sequences option is for.
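A minimal knock client that sends the [openSSH] sequence from this page's /etc/knockd.conf and then checks whether port 22 answers. This is an added example for this page, not code from the jangbi plugin or from knockd; the port sequences, seq_timeout and port 22 are taken from the configuration shown further down, while the connect and clock hooks are this script's own so the sequencing logic can be exercised without a network.

```python
"""Knock the doors defined on this page and check that the door opened.

Added example for this page; it is not part of the jangbi net-knockd plugin
or of knockd. The port sequences, seq_timeout and port 22 come from the
/etc/knockd.conf shown on the page; the connect and clock hooks are this
script's own (they exist so the sequencing logic can be tested offline).
"""
import socket
import sys
import time

OPEN_SSH = (7000, 8000, 9000)    # [openSSH]  sequence in /etc/knockd.conf
CLOSE_SSH = (9000, 8000, 7000)   # [closeSSH] sequence in /etc/knockd.conf
SEQ_TIMEOUT = 5                  # seq_timeout of both doors, in seconds


def tcp_syn(host, port, timeout=0.5):
    """One knock: a plain TCP connect attempt.

    knockd sniffs with libpcap and matches only tcpflags = syn, so a refused
    or dropped connection is still a valid knock. Returns True only if the
    port actually accepted the connection, which is what we want to know
    about port 22 after knocking."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def knock(host, sequence, delay=0.3, seq_timeout=SEQ_TIMEOUT,
          connect=tcp_syn, clock=time.monotonic):
    """Send the knocks in order and return the list of ports knocked.

    knockd discards a partial sequence once seq_timeout seconds have passed
    since the first knock, so raise if the client side alone took longer:
    the knock would be silently ignored server-side."""
    started = clock()
    knocked = []
    for port in sequence:
        connect(host, port)
        knocked.append(port)
        if clock() - started > seq_timeout:
            raise TimeoutError(
                f"sequence took longer than seq_timeout={seq_timeout}s, "
                "knockd has already reset it")
        time.sleep(delay)          # keep the knocks distinguishable on the wire
    return knocked


def open_ssh(host, verify_port=22, settle=1.0):
    """Knock [openSSH], give knockd time to run iptables, then test port 22."""
    knock(host, OPEN_SSH)
    time.sleep(settle)
    return tcp_syn(host, verify_port)


def close_ssh(host):
    """Knock [closeSSH] so the ACCEPT rule for our address is removed again."""
    knock(host, CLOSE_SSH)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"ssh on {target} reachable after knock:", open_ssh(target))
    close_ssh(target)
```

Run it from the client as python3 knock.py HOST; the knock client that ships with knockd does the same with knock HOST 7000 8000 9000. Each knock here is a full connect attempt with a short timeout, which is enough because knockd matches on the SYN and never completes the handshake itself. Anyone who can capture the path sees the same three SYNs, which is why a static sequence only hides SSH and does not replace its authentication.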

Jangbi Configs

/opt/jangbi/.config
RUN_NET_KNOCKD=1 # enable knockd port knocking

Check if running

bash command
$ ps aux|grep knockd
root      12345  0.0  0.1  12345  1234 ?        S    12:34   0:00 knockd -d -i eth0
$ systemctl status knockd
● knockd.service - Port-Knock Daemon
   Active: active (running)

Current Configuration

The current configuration is stored in /etc/knockd.conf. It is generated by the net-knockd configgen command at install time. If you edit the file by hand, do not run install or configapply again: both regenerate the file and would overwrite your changes.

The [openSSH] door below appends its ACCEPT rule with iptables -A INPUT, the same form the knockd man page example uses. That only works when the INPUT chain relies on a default policy of DROP. If the chain instead ends with an explicit DROP or REJECT rule, the appended ACCEPT sits below that rule and never matches, and the door has to insert at the top with iptables -I INPUT instead. Whatever form you choose, the [closeSSH] door must use the identical rule specification with -D, or it will not delete the rule [openSSH] added.

/etc/knockd.conf
[options]
UseSyslog
# LogFile = /var/log/knockd.log
# PidFile = /var/run/knockd.pid
Interface = eth0

# [stepCliOpenSSH]
# One_Time_Sequences = /etc/knockd.otp
# seq_timeout = 5
# start_command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --syn -j ACCEPT
# tcpflags    = syn,ack
# stop_command  = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --syn -j ACCEPT

[openSSH]
sequence    = 7000,8000,9000
seq_timeout = 5
command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn

[closeSSH]
sequence    = 9000,8000,7000
seq_timeout = 5
command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn

# [openHTTPS]
# sequence    = 12345,54321,24680,13579
# seq_timeout = 5
# command     = /usr/local/sbin/knock_add -i -c INPUT -p tcp -d 443 -f %IP%
# tcpflags    = syn
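A small linter for the file above, catching the mistakes that make a door silently fail: a door that adds a rule no other door removes, -A appended below a terminal DROP, a command without %IP% that opens the port to everyone, a stop_command with no explicit cmd_timeout, two doors sharing one sequence, and malformed seq_timeout or tcpflags values. This is an added example for this page, not part of the jangbi plugin or of knockd; the option names, the %IP% placeholder and the iptables flags are knockd's and iptables' own, while the checks, the finding texts and the embedded sample (the active [openSSH] and [closeSSH] doors from the configuration above) are this script's.

```python
"""Lint /etc/knockd.conf for the mistakes that make a door silently fail.

Added example for this page; it is not part of the jangbi plugin or of knockd.
Option names, the %IP% placeholder and the iptables flags are knockd's and
iptables' own; the checks, the finding texts and the sample below are this
script's. The sample is the active [openSSH]/[closeSSH] doors from the page.
"""
import configparser
import shlex

# Constructed sample: the two active doors from the page's /etc/knockd.conf.
SAMPLE_CONF = """\
[options]
UseSyslog
Interface = eth0

[openSSH]
sequence    = 7000,8000,9000
seq_timeout = 5
command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn

[closeSSH]
sequence    = 9000,8000,7000
seq_timeout = 5
command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn
"""

TCP_FLAGS = {"fin", "syn", "rst", "psh", "ack", "urg"}


def parse_knockd_conf(text):
    """Return {door: {option: value}} for every section except [options].

    knockd.conf is INI-like: configparser handles it once interpolation is
    off (otherwise %IP% is taken as a substitution) and valueless keys such
    as UseSyslog are allowed. Option names come back lower-cased."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s != "options"}


def rule_spec(cmd):
    """Split an iptables command into (action, chain, rule) or None.

    'rule' is the tuple of arguments after the chain (and after an optional
    rule number for -I), so an -A/-I rule and the -D that removes it compare
    equal."""
    argv = shlex.split(cmd)
    for i, tok in enumerate(argv):
        if tok in ("-A", "-I", "-D") and i + 1 < len(argv):
            rest = argv[i + 2:]
            if rest and rest[0].isdigit():
                rest = rest[1:]
            return tok, argv[i + 1], tuple(rest)
    return None


def lint(doors):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    seen_sequences = {}
    for name, d in doors.items():
        if ("sequence" in d) == ("one_time_sequences" in d):
            findings.append(f"{name}: set exactly one of sequence or one_time_sequences")
        timeout = d.get("seq_timeout") or ""
        if not timeout.isdigit() or int(timeout) <= 0:
            findings.append(f"{name}: seq_timeout must be a positive number of seconds")
        flags = {f.lstrip("!") for f in (d.get("tcpflags") or "").split(",") if f}
        if not flags or not flags <= TCP_FLAGS:
            findings.append(f"{name}: tcpflags missing or not among {sorted(TCP_FLAGS)}")
        cmds = [d[k] for k in ("command", "start_command", "stop_command") if k in d]
        if not cmds:
            findings.append(f"{name}: no command, start_command or stop_command")
        if "stop_command" in d and "cmd_timeout" not in d:
            findings.append(f"{name}: stop_command without an explicit cmd_timeout")
        for c in cmds:
            if "%IP%" not in c:
                findings.append(f"{name}: command has no %IP%, it would open the port to everyone")
            spec = rule_spec(c)
            if spec and spec[0] == "-A":
                findings.append(f"{name}: '-A' appends below any existing DROP/REJECT rule in "
                                f"{spec[1]}; use '-I' unless the chain relies on its default policy")
        seq = (d.get("sequence") or "").replace(" ", "")
        if seq and seq in seen_sequences:
            findings.append(f"{name}: same sequence as {seen_sequences[seq]}, both doors would fire")
        elif seq:
            seen_sequences[seq] = name
    # A rule that one door adds must be removed by another door (or by cmd_timeout).
    specs = {n: rule_spec(d["command"]) for n, d in doors.items() if "command" in d}
    removed = {(s[1], s[2]) for s in specs.values() if s and s[0] == "-D"}
    for name, s in specs.items():
        if s and s[0] in ("-A", "-I") and (s[1], s[2]) not in removed:
            findings.append(f"{name}: adds a rule that no door removes; add a close door with "
                            "-D or switch to start_command/stop_command with cmd_timeout")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for line in lint(parse_knockd_conf(text)) or ["no findings"]:
        print(line)
```

Run it as python3 knockd_lint.py /etc/knockd.conf after editing the file and before restarting the service. On the configuration shown above it reports exactly one finding, the -A append in [openSSH]; whether that is a real problem depends on how the rest of the INPUT chain is built, which is why the linter flags it rather than rewriting it.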